A network device allows inbound connections from external addresses to a computer on a local network while forbidding outbound connections from the computer to an external address unless preceded by an inbound connection from that address. In some embodiments, the computer is allowed to accept inbound connections from external addresses but is not permitted to initiate outbound connections to other computers in the local network unless preceded by an inbound connection. In some embodiments, the network device processes a request from an external address by transmitting network information for the computer to the external address and temporarily changing its network rules to allow connections from the external address. In some embodiments, if the computer attempts a disallowed connection, the connection attempt is routed through a proxy server by providing network data for the proxy server to the computer.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A first device for networking coupled to a local network and having at least one connection to an external network, the first device including a non-transitory computer readable medium storing a computer program having computer executable instructions for causing the first device to: (a) receive one or more inbound connections, each inbound connection being addressed to a second device coupled to the local network and received from a source address in the external network and outside of the local network, (b) record the source address as one of one or more stored source addresses for the one or more inbound connections; and (c) for each outbound connection of one or more outbound connections received from the second device: (i) compare an external address of the each outbound connection to the one or more stored source addresses for the one or more inbound connections, the external address of the each outbound connection being in the external network; (ii) in accordance with the external address matching any of the one or more stored source addresses, permit transmission of the each outbound connection to the external address of the each outbound connection; and (iii) in accordance with the external address not matching any of the one or more stored source addresses, block transmission of the each outbound connection to the external address of the each outbound connection.
2. The first device of claim 1 , wherein the computer program further includes computer executable instructions for causing the first device to: for each outbound connection of the one or more outbound connections: in accordance with the external address of the each outbound connection being included in a white list, permit the each outbound connection to the external address of the each outbound connection; and in accordance with the external address of the each outbound connection not being included in a white list, block the each outbound connection; and permit at least a portion of the one or more inbound connections having the source addresses thereof not included in the white list.
3. The first device of claim 2 , wherein the whitelist stores one or more network identifiers each including at least one of a domain name, an internet protocol (IP) address and port.
4. The first device of claim 1 , wherein the computer program further includes computer executable instructions for causing the first device to permit those of the one or more outbound connections from the second device having a first external address preceded by an inbound connection of the one or more inbound connections having the source address thereof that is the first address and to block one or more subsequent outbound connections from the second device to addresses different from the first address, including addresses different from the first address that were in the source address of previously-received inbound connections of the one or more inbound connections.
5. The first device of claim 1 , wherein the computer program further includes computer executable instructions for causing the first device to permit each outbound connection of the one or more outbound connections from the second device only if an inbound connection received from the external address of the each outbound connection uses a specific destination port from a set of ports specified in the first device.
6. The first device of claim 1 , wherein the computer program further includes computer executable instructions for causing the first device to block each outbound connection of the one or more outbound connections from the second device and to allow the second device to accept inbound connections of the one or more inbound connections having the source address thereof in the external network.
7. The first device of claim 1 , wherein the computer program further includes computer executable instructions for causing the first device to: block connection attempts from an HTTP client to remote devices in the external network, while allowing connections from the remote devices to reach an HTTP server.
8. The first device of claim 1 , wherein the first device comprises at least one of a gateway, a router, a bridge, a switch and a firewall.
9. A first device coupled to a local network, the first device including a non-transitory computer readable medium storing a computer program having computer executable instructions for causing the first device to: (a) accept one or more inbound connections from external IP addresses outside of the local network; (b) detect an outbound connection request from a second device to another device on the local network, wherein the second device is coupled to the local network; (c) allow the outbound connection when an inbound connection of the one or more inbound connections both referenced the second device and was previously received from one of the external IP addresses; and (d) block the outbound connection when none of the one or more inbound connections both reference the second device and were previously received from one of the external IP addresses.
10. The first device of claim 9 , wherein the computers within the local network include a first group of devices and a second group of devices; wherein the computer program further includes computer executable instructions for causing the first device to apply first rules to the first group of devices in the local network and second rules to the second group of devices on the local network, the first rules being different from the second rules such that the first device blocks connections from the first group to the second group, but allows local connections from the second group to the first group.
11. The first device of claim 9 , wherein the first device is one of a gateway, a router, a bridge, a switch, a proxy and a firewall.
12. The first device of claim 9 , wherein the computer program further includes computer executable instructions for causing the first device to identify the computers on the local network by information obtained from at least one of Address Resolution Protocol (ARP), multicast Domain Name Service (mDNS), and Simple Service Discovery Protocol (SSDP).
13. The first device of claim 9 , wherein the computer program further includes computer executable instructions for causing the first device to identify at least one computer from the computers on the local network by a name and description of the at least one computer.
14. The first device of claim 9 , wherein the computer program further includes computer executable instructions for causing the first device to block one or more local connections by blocking at least one data packet from a computer of the computers on the local network that initiated the one or more local connections.
15. The first device of claim 9 , wherein the computer program further includes computer executable instructions for causing the first device to block one or more local connections by blocking at least one data packet from a computer of the computers on the local network transmitted in response to the one or more local connections.
16. The first device of claim 9 , wherein the computer program further includes computer executable instructions for causing the first device to identify the second device as initiating the outbound connection by analyzing information about packets previously sent or received by the second device.
17. The first device of claim 9 , wherein the computer program further includes computer executable instructions for causing the first device to identify the second device as initiating the outbound connection if the second device has sent a packet to a first address of the outbound connection without previously receiving a packet from the first address within at least a pre-defined time interval.
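The abstract and claims 1, 2, 4, 5, 9 and 17 above describe one decision rule from several angles: a local host may only talk outbound to an external address that has already connected inbound to it, with a whitelist override, an optional "most recent peer only" mode, an optional set of unlocking destination ports, and a time window after which a host sending to an address is treated as the initiator. The following Python model of that rule is an added example written for this page; it is not code from the patent or its assignee. The class name, method names, the per-host source table, and all hostnames, addresses, ports and timestamps in the trace are constructed for illustration.

```python
"""Model of the reverse-stateful filter described in the claims above.

Added example, not the patent's own code. Every address, port and
timestamp used here is a constructed sample value.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ReverseStatefulFilter:
    """Per-host table of external sources that have connected inbound.

    Outbound traffic from a local host is permitted only to an address in
    that host's table (or in the whitelist); everything else is blocked.
    """
    whitelist: Set[str] = field(default_factory=set)      # claim 2
    unlock_ports: Set[int] = field(default_factory=set)   # claim 5
    latest_only: bool = False                             # claim 4
    window: Optional[float] = None                        # claim 17 idea
    # local host -> {external source address: time of last inbound}
    _sources: Dict[str, Dict[str, float]] = field(
        default_factory=lambda: defaultdict(dict))

    def record_inbound(self, local_host: str, src_addr: str,
                       dst_port: int, now: float) -> None:
        """Claim 1(b): remember who connected in. The inbound connection is
        always delivered; this only decides whether it unlocks replies."""
        if self.unlock_ports and dst_port not in self.unlock_ports:
            return  # claim 5: wrong destination port, source stays locked
        if self.latest_only:
            self._sources[local_host].clear()  # claim 4: only the newest peer
        self._sources[local_host][src_addr] = now

    def allow_outbound(self, local_host: str, dst_addr: str, now: float) -> bool:
        """Claim 1(c): match against stored sources, claim 2 whitelist first."""
        if dst_addr in self.whitelist:
            return True
        seen = self._sources[local_host].get(dst_addr)
        if seen is None:
            return False
        if self.window is not None and now - seen > self.window:
            return False  # claim 17: no recent packet from there, host is initiating
        return True

    def allow_local(self, local_host: str, now: float) -> bool:
        """Claim 9: lateral connection only after some external inbound."""
        return any(self.window is None or now - t <= self.window
                   for t in self._sources[local_host].values())


def run_trace(flt: ReverseStatefulFilter, events: List[Tuple]) -> List[str]:
    """Replay a constructed connection log and return one verdict per event.

    Event shapes: ("in", host, src, dst_port, t), ("out", host, dst, t),
    ("local", host, t).
    """
    verdicts = []
    for ev in events:
        kind = ev[0]
        if kind == "in":
            _, host, src, port, t = ev
            flt.record_inbound(host, src, port, t)
            verdicts.append("accept")  # inbound is always delivered
        elif kind == "out":
            _, host, dst, t = ev
            verdicts.append("permit" if flt.allow_outbound(host, dst, t) else "block")
        elif kind == "local":
            _, host, t = ev
            verdicts.append("permit" if flt.allow_local(host, t) else "block")
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    return verdicts


# Constructed trace: "cam1" and "cam2" are local hosts, the rest are external.
SAMPLE_TRACE = [
    ("out", "cam1", "198.51.100.7", 0.0),      # unsolicited outbound -> block
    ("in", "cam1", "198.51.100.7", 443, 1.0),  # external client connects in
    ("out", "cam1", "198.51.100.7", 2.0),      # reply path -> permit
    ("out", "cam1", "192.0.2.9", 3.0),         # never connected in -> block
    ("out", "cam1", "203.0.113.50", 4.0),      # whitelisted -> permit
    ("local", "cam1", 5.0),                    # lateral after inbound -> permit
    ("local", "cam2", 5.0),                    # no inbound ever -> block
    ("out", "cam1", "198.51.100.7", 400.0),    # window expired -> block
]


def demo() -> List[str]:
    """Run the sample trace with a whitelist and a 300 s window."""
    flt = ReverseStatefulFilter(whitelist={"203.0.113.50"}, window=300.0)
    return run_trace(flt, SAMPLE_TRACE)


if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_TRACE, demo()):
        print(f"{verdict:7s} {ev}")
```

Note that this is the inverse of an ordinary stateful firewall, which tracks outbound connections and admits only their replies; here the inbound connection is what unlocks the reverse direction. The window keeps a one-time inbound from granting a local host an indefinite outbound path to that address, which is the failure mode claim 17's time interval addresses.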
October 16, 2018
January 28, 2020